January 28, 2026
Budapest
Danubius Helia Hotel
Galéria

Ensuring Payment Flow

Whose Responsibility is Cybersecurity? As an SME Leader, What Is My Role?

Where does cybersecurity begin? Protecting assets in the digital space (data, financial assets, access), awareness (at leadership and employee levels), involving external experts, training, knowledge sharing, and sensitization.

This panel discussion explores why cybersecurity for SMEs is not actually an "IT issue," but a matter of business risk management. It is just as much a part of leadership responsibility as financial controls, fraud prevention, or compliance. Whose responsibility is it, where does security start, and what should a CEO do even if they don't have a dedicated IT team? The focus of the conversation is on which assets we must protect in the digital space—data, financial assets, access, business continuity, and reputation—and how to build this protection effectively on an SME scale with proportionate investment.

During these 45 minutes, we will define what "Minimum Viable Cybersecurity" looks like for an SME. We will examine typical attack patterns—such as CEO fraud, invoice manipulation, fake supplier emails, phishing, and ransomware—that link directly to financial fraud, and discuss how to prevent them at the operational level. Special attention will be paid to the boundaries of responsibility:

  • Leadership Decisions: Risk appetite, priorities, budgets, rules, and controls.

  • IT/Operations: Technical protection, access management, and logging.

  • Finance, HR, or Operations: Approval workflows, onboarding/offboarding, and supplier data management.

The goal is for participants to leave with a tangible answer: "If I have to fix one thing as a CEO tomorrow morning, what should it be?"

The second pillar of the discussion is awareness. We will discuss why the user remains the most common entry point and how to sensitize employees (and managers) so they view security not as a "compliance chore," but as a routine that protects their own work. We will cover how to build a simple, regular cyber-hygiene program using micro-learning, simulations, internal communication, and metrics. We will also discuss linking disciplined financial processes—such as two-step payment approvals, verification of changes to supplier data, and the principle of least privilege—with cybersecurity defense.

Finally, the panel provides practical answers on when and how to involve external experts. We will discuss in which situations a "health check" or audit is sufficient, when managed services (e.g., security monitoring) are necessary, and what questions an SME leader should ask vendors to avoid making decisions based solely on marketing promises. We will outline what an SME-level incident response playbook looks like (who does what in the first hour, who to contact, what to document) and which minimal technical and organizational controls offer the best return on investment.

By the end of the session, participants will have a leadership-oriented yet action-focused roadmap of where cybersecurity begins, how protecting digital assets becomes part of defending against financial fraud, and what specific, SME-compatible steps can significantly reduce exposure in a short period.

Ágnes Sütő


Co-project owner

Krisztina Tajthy


Secretary General

Tamás László Kiss


Head of Department

Dániel Wittinghoff


Director of Business Development for Cybersecurity